| 1 | +--- |
| 2 | +title: Prioritizing Dependabot alerts using metrics |
| 3 | +shortTitle: Prioritize Dependabot alerts using metrics |
| 4 | +intro: 'You can prioritize {% data variables.product.prodname_dependabot_alerts %} in your organization by analyzing the provided metrics. Using this approach, you can tell your developers to focus on the most important vulnerabilities first.' |
| 5 | +allowTitleToDifferFromFilename: true |
| 6 | +permissions: '{% data reusables.permissions.security-org-enable %}' |
| 7 | +versions: |
| 8 | + feature: dependabot-metrics |
| 9 | +topics: |
| 10 | + - Code Security |
| 11 | + - Dependabot |
| 12 | + - Organizations |
| 13 | + - Security |
| 14 | +--- |
| 15 | + |
| 16 | +## Prioritizing {% data variables.product.prodname_dependabot_alerts %} using metrics |
| 17 | + |
| 18 | +Application Security (AppSec) managers often face a flood of {% data variables.product.prodname_dependabot_alerts %}, making it challenging to determine which vulnerabilities to address first. {% data variables.product.prodname_dependabot %} metrics provide valuable insights that help prioritize alerts efficiently, ensuring that critical security issues are resolved promptly. Users can make informed decisions, focusing resources on the most impactful vulnerabilities. This approach strengthens the organization’s security posture and streamlines vulnerability management. |
| 19 | + |
| 20 | +## Understanding {% data variables.product.prodname_dependabot %} metrics |
| 21 | + |
| 22 | +{% data variables.product.prodname_dependabot %} metrics offer detailed information about vulnerabilities detected in your dependencies. Key metrics include: |
| 23 | + |
| 24 | +* **Severity**: Indicates the potential impact of a vulnerability (e.g., low, medium, high, critical). |
| 25 | +* **Exploitability**: Assesses how easily a vulnerability can be exploited. |
| 26 | +* **Dependency relationship**: Differentiates between direct and transitive dependencies. |
| 27 | +* **Dependency scope**: Differentiates between runtime and development dependencies. Determines if the vulnerable code is actually used in your application. |
| 28 | +* **Alerts closed in the last 30 days, including the number of alerts fixed by {% data variables.product.prodname_dependabot %}, manually dismissed, and auto dismissed**: Tracks alert resolution progress. Illustrates how {% data variables.product.prodname_GH_code_security %} can help you detect vulnerabilities early. |
| 29 | +* **Table showing the total number of open alerts for each repository, as well as severity and expoitability data**: Allows you to dig deeper at the repository level. |
| 30 | + |
| 31 | +Additionally, you can specify complex filters, which are combinations of the individual filters that are available. For more information about filters, see [{% data variables.product.prodname_dependabot %} dashboard view filters](/code-security/security-overview/filtering-alerts-in-security-overview#dependabot-dashboard-view-filters). |
| 32 | + |
| 33 | +## Steps to prioritize alerts |
| 34 | + |
| 35 | +These first steps help you identify the {% data variables.product.prodname_dependabot_alerts %} that put your organization the most at risk, so that you can tell your developers which alerts to focus on for remediation. |
| 36 | + |
| 37 | +### 1. Tailor the funnel order to suit your organization's needs |
| 38 | + |
| 39 | +You can customize the default funnel order on the "Alert prioritization" graph to ensure it reflects the unique risk profile, business priorities, and compliance requirements of your organization. See [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-dependabot-alerts#configuring-funnel-categories). |
| 40 | + |
| 41 | +### 2. Focus on critical and high severity alerts |
| 42 | + |
| 43 | +Start by identifying alerts with the highest severity by using the the `severity-critical` or `severity-high` filters. These vulnerabilities pose the greatest risk and are often prioritized by compliance standards. You can then |
| 44 | + |
| 45 | +### 3. Assess exploitability and reachability |
| 46 | + |
| 47 | +Prioritize vulnerabilities that are the most likely to be exploited in your codebase. To identify alerts that are most likely to be exploited, you can use the `epss_percentage` filter associated to a value (for example `epss_percentage>=0.10`). |
| 48 | + |
| 49 | +### 4. Review dependency scope and relationship |
| 50 | + |
| 51 | +Direct dependencies are typically easier to update and may have a greater impact on your application’s security. We recommend addressing these before transitive dependencies when possible. |
| 52 | +Filtering alerts using the `relationship:direct` filter allows us to see vulnerabilities on direct dependencies for supported ecosystems like npm. |
| 53 | + |
| 54 | +Runtime dependencies are used by an application in production. Updating this sort of dependency can address security vulnerabilities, bug fixes, and performance improvements that affect your end users or systems directly. On the other hand, development dependencies are only used during development, testing, or build processes. While important, issues in these dependencies usually don’t impact your running application or its users. |
| 55 | + |
| 56 | +You can use the `scope:runtime` or `scope:development` filters to only display alerts for runtime or development dependencies, respectively. |
| 57 | + |
| 58 | +### 5. Consider the age of alerts |
| 59 | + |
| 60 | +Older alerts may indicate long-standing risks. Regularly review and address aged alerts to prevent security debt from accumulating. For example, once you establish that a specific repository has more alerts that need prioritizing than other repositories, you can: |
| 61 | +1. Click the repository name on the per-repository table to display the alerts for that repository only. |
| 62 | +1. Use the "Older" filter in the **Sort** dropdown list, as well as other sorting criteria, to fine-tune the visualization to alerts meeting your criteria by age. |
| 63 | + |
| 64 | +### 6. Leverage automation |
| 65 | + |
| 66 | +Use {% data variables.product.prodname_dependabot %}’s automated pull requests to quickly remediate vulnerabilities. Integrate these updates into your CI/CD pipeline for faster resolution and improved efficiency. |
| 67 | + |
| 68 | +## Best practices |
| 69 | + |
| 70 | +* **Establish Service Level Agreements (SLAs)** for resolving vulnerabilities based on severity. |
| 71 | +* **Monitor metrics regularly** to identify trends and recurring issues. |
| 72 | +* **Collaborate with developers** to ensure timely updates and minimize disruption. |
| 73 | +* **Document decisions** to provide transparency and support future prioritization. |
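Review bot: The last sentence of step 2 ("Start by identifying alerts with the highest severity by using the the `severity-critical` or `severity-high` filters. ... You can then") is truncated mid-sentence and needs to be completed or removed before this lands; the same line also has a doubled "the the" before `severity-critical`. Two smaller points in the same hunk: "expoitability" in the per-repository table bullet should read "exploitability", and step 4 switches from second person to "allows us to see vulnerabilities on direct dependencies", which should stay as "allows you to see" to match the rest of the article. The intro under "Steps to prioritize alerts" says "These first steps" although the section lists all six steps, so "These steps" would be more accurate.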